Ethernet, the predominant Local Area Network (LAN) technology, had early implementations constructed using a common shared coaxial cable with physical taps. Each tap connected an end node. This provided one shared network segment with no controls, with all of the end nodes being exposed to all of the traffic on the shared 10 megabits of transmit bandwidth. The next step in the evolution of Ethernet LANs introduced structured wiring, using multi-port interconnection devices that created hub and spoke topologies where each end node had a link (a spoke) connected to the multi-port interconnection devices (the hub). The hub provided the added control and the spokes provided private communication paths. The multi-port interconnection devices were first implemented as layer 1 interconnection (repeaters) devices, then later with layer 2 (bridges) devices. The multi-port interconnection devices were in turn interconnected to form a set of interconnected hubs that formed the physical LAN topology. This implementation provided a more controlled environment, limited the end node exposure traffic, and provided private communication paths between the multi-port interconnection devices and the end nodes.
Local Area Networks were organized in physically separate segments and these segments were interconnected by layer 3 devices (routers). These segments are called subnets in the Internet Protocol (IP) as specified by the Internet Engineering Task Force (IETF). Virtual Local Area Networks (VLANs), as specified by the IEEE 802.1D specification, were introduced as a mechanism to separate the logical topology (subnets) from the physical topology (LAN segments). VLANs provided a new topology control method that enabled assignments of end nodes or traffic types to logical topologies and traffic priorities independent of the physical location within the LANs. These assignments were controlled by network management policies and provided the first separation from the physical deployment to the assignment of logical (virtual) LAN segments (VLANs).
Network Access Control (NAC) was then added, which controlled the VLAN or VLANs an end node was allowed to access. One example of an NAC method was specified by the IEEE in the 802.1x specification. The NAC would: authenticate the end node to verify the identity of the end node; optionally do a posture check of the end node to verify the end node software presented no threat; and based on that information would assign the end node to one or more VLANs or deny access to the network. NAC implementations usually contain security authentication information and the associated policy indicating what parts of a network and/or what resources an end node is allowed to access. The policy information is stored on a NAC policy server and this information is utilized by an enforcement point, which acts as a network sentinel to control end node access at the edge of the network.
VLAN assignment controls an end node's network connection to one or more VLANs, but the end node is still restricted to its physical connection point to the network; the traffic filtering, to select the packets needed from passing network traffic, must be done by the end node; the traffic sent to and sent by the end node is not scrutinized to remove security threats without deploying expensive Intrusion Prevention Systems at the edge of the network in line with each end node.